Understanding User Profiles

A user profile is a set of data that is used to re-create the user’s environment each time a user logs on. It includes several folders such as Contacts, Cookies, Desktop, Downloads, Favorites, and more. It also includes user-specific Registry settings. As an example, Bob could use a system and have it configured with a left-hand mouse, the Windows 7 Landscapes theme, a weather gadget on his desktop, and several drives mapped to network shares he uses regularly. Each time Bob logs on, these settings are re-created from his profile. Sally could use the same system with a different user account. She can reconfigure all of these settings, and they will be re-created from her profile each time she logs on, without affecting the settings for Bob.

Windows 7 profiles are stored in the %systemroot%\Users folder by default. The Users folder includes the standard profiles of any user who has ever logged on to the system and also the All Users profile and the Default User profile.

All Users The All Users profile holds settings that affect all users. As an example, when you install an application, you are often prompted to choose whether to allow all users access to the program. When you select All Users, the application modifies the All Users profile, ensuring the application is available to any user who logs on to the system.

Default User This profile is used when a user first logs on to a system. Windows 7 copies the Default User profile to a new folder named with the user’s logon name. If Bob logs on, a folder named Bob is created that includes all the data from the Default User profile. This new profile is used to re-create the same environment for the user each time Bob logs on.

There are many differences in how profiles are implemented in Windows XP and Windows 7. The changes occurred between Windows XP and Windows Vista. For example, in Windows XP the profile was located under the %systemroot%\Documents And Settings\ folder. This was changed to %systemroot%\Users\ in Windows Vista and Windows 7.

If you look in the %systemroot%\Users folder, you won’t see the Default User folder, but it’s there—it’s just hidden. By default, the only folders that a user will see in the %systemroot%\Users\ folder are the Public folder and the profile folders of any users who have logged on. There are many hidden and system-protected folders that don’t show by default, and you can follow these steps to show them:

1. Launch Windows Explorer and browse to the %systemroot%\Users\ folder.

2. Click Organize ➢ Folder And Search Options.

3. Select the View tab.

4. Select Show Hidden Files And Folders.

5. Deselect Hide Protected Files. When prompted, if you’re sure you want to display these files, click Yes. Click OK.

You will now see the All Users folder, the Default User folder, and some other folders.

Standard Profiles

Profiles stored in the %systemroot%\Users\username folder are referred to as local user profiles or standard profiles. The profile includes several folders and a Registry hive. Many of the folders and data are system files and hidden by default. Figure 9.14 shows the user profile with hidden and system files showing.

597095c09.indd 417 6/2/10 3:35:06 PM 418 Chapter 9 n Managing Windows 7 in a Domain

Figure 9.14 User profile folder

Folders The folders hold data and settings needed by the user. These include desktop icons and shortcuts, links and shortcuts to other folders, startup applications, and more.

Registry hive The HKEY_CURRENT_USER portion of the Registry holds user-defined settings for the desktop, applications, printers, and more. These are stored in a file named ntuser.dat.

Roaming Profiles

Local user profiles work great if a user logs on to the same system all the time. However, in some organizations users may frequently log on to different systems. Mapped network drives, shortcuts on the desktop, and other elements of the user’s profile are often useful if they’re available to a user no matter where the user logs on. Roaming profiles can be implemented to ensure the same profile is available to a user no matter which computer is used.

Figure 9.15 shows how roaming profiles are used. A folder is shared on a server that is available to the user on the network, and the user’s account is then configured to use this share for the profile. When the user logs on to a computer, the profile is retrieved from the network share and copied onto the local computer. If the user makes any changes, these changes are copied up to the roaming profile on the network share. If the user then moves to a different computer and logs on, the profile is copied down to that computer.


Figure 9.15 Using roaming profiles in a domain (diagram: a file server named FS1 hosting the profile share \\FS1\Profiles\UserName)

Roaming profiles can be implemented only in a domain. The two steps used to create a roaming profile are as follows:

1. Create a share on a server. This share needs to be accessible to users using the UNC path (\\ServerName\ShareName). If more than one user will use this share, the Authenticated Users group should be granted Full Control. It’s not necessary to create the folder for each user because this can be created automatically.

2. Modify the domain user account. The Profile tab of the user account Properties page includes a Profile Path text box. The UNC path to the share is added here and appended with the %UserName% variable, giving a full path of \\ServerName\ShareName\%UserName%. When the user logs on, a folder will be created within the share with the appropriate permissions for the user to access the folder.

Exercise 9.6 demonstrates how to implement roaming profiles.

Exercise 9.6

Implementing Roaming Profiles

1. Start the domain controller and log on.

2. Create a shared folder to store the user profiles with the following steps:

a. Start Windows Explorer by clicking Start ➢ Computer.

b. Double-click the C: drive. Right-click the main Windows pane and click New ➢ Folder. Name the folder Profiles or another name that matches your company’s needs.

c. Select Share from the Windows Explorer toolbar.

d. Type Authenticated Users in the text box, and click Add. (You can also click Find And Search and use the search tool to locate any group.) Change Reader to Contributor.

e. Click Share. Click Done.


3. Launch Active Directory Users and Computers by clicking Start ➢ Administrative Tools ➢ Active Directory Users And Computers.

4. Locate a user account. Right-click the user account and click Properties.

5. Select the Profile tab. Enter the UNC path to the share in the Profile Path text box, as shown in the following graphic. For my test bed, I created the Profiles share on DC1, so the full path is \\DC1\Profiles\%UserName%. Click OK.

If you look in the Profiles folder now, you won’t see anything. However, the next time the user logs on, a folder will be created for the user in the UNC path. Figure 9.16 shows an example of what this looks like for a user. Notice that since the %UserName% variable was used, the folder was created using the user name. The V2 indicates to the operating system that this roaming profile is using the newer format of profiles that was implemented with Windows Vista. The operating system also configures the NTFS permissions for the folder. The user and the system both have full control of the folder, but no other users are granted any access to the data in the folder.
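The following PowerShell script is an added example, not from the book, that does the two roaming-profile steps above from the command line and then audits the per-user .V2 folders Windows creates, checking that each folder’s ACL grants access only to its owner and SYSTEM as described. It assumes PowerShell 2.0 or later with the ActiveDirectory module on the file server, and the share, server and account names are placeholders.

```powershell
# Added example: create the Profiles share, assign a roaming profile path,
# and verify the NTFS ACLs of the per-user folders Windows creates.
# Assumes: run as a domain admin on the file server; ActiveDirectory module
# available (Windows Server 2008 R2 or later); names below are placeholders.
Import-Module ActiveDirectory

function New-ProfileShare {
    param([string]$Path = 'C:\Profiles', [string]$ShareName = 'Profiles')
    if (-not (Test-Path $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    # CHANGE is the "Contributor" level chosen in step 2d of Exercise 9.6.
    net share "$ShareName=$Path" "/GRANT:Authenticated Users,CHANGE" | Out-Null
}

function Set-RoamingProfilePath {
    param([string]$SamAccountName, [string]$Server = 'DC1', [string]$ShareName = 'Profiles')
    # The literal %UserName% is stored in AD; the client expands it at logon.
    Set-ADUser -Identity $SamAccountName -ProfilePath "\\$Server\$ShareName\%UserName%"
}

function Test-ProfileFolderAcl {
    # Reports any ACE on a <user>.V2 folder that belongs to someone other than
    # that user or SYSTEM, which is all Windows grants when it creates the folder.
    param([string]$Path = 'C:\Profiles', [string]$Domain = $env:USERDOMAIN)
    Get-ChildItem -Path $Path -Force |
      Where-Object { $_.PSIsContainer -and $_.Name -like '*.V2' } |
      ForEach-Object {
        $dir     = $_
        $user    = $dir.Name -replace '\.V2$', ''
        $allowed = @('NT AUTHORITY\SYSTEM', "$Domain\$user")
        $extra   = (Get-Acl $dir.FullName).Access |
                   Where-Object { $allowed -notcontains $_.IdentityReference.Value }
        New-Object PSObject -Property @{
            Folder     = $dir.Name
            Unexpected = ($extra | ForEach-Object {
                            "$($_.IdentityReference) ($($_.FileSystemRights))" }) -join '; '
        }
      }
}

# Usage (placeholders): set up the share, point one user at it, then audit.
New-ProfileShare
Set-RoamingProfilePath -SamAccountName 'bob'
Test-ProfileFolderAcl | Where-Object { $_.Unexpected }
```

A non-empty Unexpected value means someone other than the profile owner and SYSTEM can read or change that user’s roaming profile, which is worth investigating before it is trusted at the next logon.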


Figure 9.16 Roaming profiles created for a user

Mandatory Profiles

A mandatory profile is a roaming profile that is configured as read-only. Users will use this profile as a roaming profile, but any changes made by the user will not be saved. The primary reason to create mandatory profiles is so that users have a consistent profile. It is possible for enthusiastic users to modify the standard profile in such a way that it adversely affects the system. This results in a call to the help desk and troubleshooting by a technician. Some companies have had one too many of these calls and have decided to use mandatory profiles to prevent these problems.

As a reminder, here’s how the roaming profile works. The user logs on, the profile is retrieved from the server where it’s stored, and then the profile is copied down to the local computer. When the user logs off, any changes to the profile are copied back up to the server where the roaming profile is stored. The only difference between a roaming profile and a mandatory profile is that the changes are never copied back up to the server when the user logs off. The user can still make changes to the local profile. However, because these changes aren’t saved to the server, the next time the user logs on, the mandatory profile will be copied from the server down to the client, overwriting any changes the user may have made.

There are three primary steps involved in creating a mandatory user profile:

1. Create a profile with the desired settings on a Windows 7 system. Copy it to a network share.

2. Rename ntuser.dat to ntuser.man. This is a hidden system file, so you’ll need to modify the Windows Explorer view to show hidden files and show system files. The steps to do this are listed in the “Understanding User Profiles” section in this chapter.

3. Configure accounts to use the mandatory roaming user profile. This is similar to Exercise 9.6, which showed how to create a roaming user profile, except the %username% variable isn’t used. Instead, all users will use the UNC path of \\ServerName\ShareName.


You can set the profile path for multiple users at the same time in Active Directory Users and Computers. Use either the Shift key or the Ctrl key to select multiple user accounts. After you’ve selected all of the accounts, right-click one of them, select Properties, and then select the Profile tab, as shown in Figure 9.17.

Figure 9.17 Modifying profiles for multiple users at the same time

It’s also possible to set a mandatory profile for many users using . This will be covered in Chapter 10.

Super-Mandatory User Profiles

Windows 7 also supports super-mandatory profiles. A super-mandatory user profile is similar to a mandatory roaming user profile with one important addition. If network or server problems prevent the user from downloading the mandatory profile, the user is unable to log on. With a regular mandatory user profile, the user is still able to log on even if the mandatory user profile is unavailable. As a reminder, when a roaming profile is used, it copies the profile to the local system. If a user has previously logged on to a system and has a copy of the profile on the system, Windows 7 will use this if the share for the roaming profile is unavailable.


If you want to ensure that users are not allowed to log on unless the mandatory profile is downloaded, you can configure the profile to be a super-mandatory user profile. A profile is created as a super-mandatory profile by renaming the profile folder with a .man extension.

You should use super-mandatory user profiles only when the network is reliable. If network problems prevent users from accessing the share where the profile is stored, users will be prevented from logging on at all.

As a reminder, to create a mandatory roaming profile, the ntuser.dat file (located at the root of the profile) is renamed to ntuser.man. This may be stored in a network share identified as \\DC1\Profiles. If you want the profile to be a super-mandatory profile, you could name the share Profiles.man so that it’s accessed using a UNC path of \\DC1\Profiles.man. In addition to appending the share with .man, you also need to ensure that the client is configured to access the share using the full UNC path, including .man (\\DC1\Profiles.man).
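The PowerShell below is an added example, not from the book, covering the three mandatory-profile steps, the .man share naming for a super-mandatory profile, and the multi-user Profile tab edit from Figure 9.17 in one script. It assumes PowerShell 2.0 or later with the ActiveDirectory module, and the folder, share and OU names are placeholders; the share is published read-only, which is tighter than the Contributor level used for ordinary roaming profiles, because a mandatory profile is never written back.

```powershell
# Added example: convert a prepared profile to mandatory, publish it
# (optionally as super-mandatory), and assign it to every user in an OU.
# Assumes: ActiveDirectory module; run on the file server as a domain admin.
Import-Module ActiveDirectory

function ConvertTo-MandatoryProfile {
    param([Parameter(Mandatory=$true)][string]$ProfileFolder)
    $dat = Join-Path $ProfileFolder 'ntuser.dat'
    $man = Join-Path $ProfileFolder 'ntuser.man'
    if (Test-Path $man) { return $man }            # already mandatory
    if (-not (Test-Path $dat)) { throw "No ntuser.dat found in $ProfileFolder" }
    # -Force is required because ntuser.dat carries the hidden and system attributes.
    Rename-Item -Path $dat -NewName 'ntuser.man' -Force
    return $man
}

function Publish-MandatoryShare {
    param([string]$Folder, [string]$ShareName = 'Profiles', [switch]$SuperMandatory)
    # A share name ending in .man makes logon fail when the profile is unreachable.
    if ($SuperMandatory) { $ShareName = "$ShareName.man" }
    # READ only: users load the profile but must never be able to alter the shared copy.
    net share "$ShareName=$Folder" "/GRANT:Authenticated Users,READ" | Out-Null
    return "\\$env:COMPUTERNAME\$ShareName"    # full UNC the clients must use
}

function Set-MandatoryProfilePath {
    param([string]$SearchBase, [string]$ProfilePath)
    # Same effect as selecting many accounts in ADUC and editing the Profile tab once;
    # no %UserName% suffix, so every account loads the same profile.
    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase |
        Set-ADUser -ProfilePath $ProfilePath -PassThru |
        Select-Object -ExpandProperty SamAccountName
}

# Usage (placeholder paths and OU)
ConvertTo-MandatoryProfile -ProfileFolder 'C:\Profiles'
$unc = Publish-MandatoryShare -Folder 'C:\Profiles' -SuperMandatory
Set-MandatoryProfilePath -SearchBase 'OU=Kiosks,DC=example,DC=com' -ProfilePath $unc
```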

Modifying the Default User Profile

If you want new users to have consistent settings that are different from the default, you can modify the Default User profile. However, this process isn’t as simple as it sounds or as simple as it was in Windows XP. In Windows XP, you typically followed these steps to modify the default user profile:

1. Create an account and log on. (This creates a profile for this account from the Default User profile.) You would typically create another administrator account so that you would have permission to make the changes.

2. Modify the desired settings to modify the profile of the account. When all of the settings have been modified, log off.

3. Log on with the regular administrator account. Access the Profiles page (from the Advanced tab of System Properties), and copy the new profile over the top of the Default User profile.

However, this causes problems in Windows 7 (and actually caused some problems in Windows XP). It is no longer the recommended method and isn’t even possible. Figure 9.18 shows the User Profiles page for a Windows 7 system. If you select any profile except the Default Profile, the Copy To button is disabled. You’re not able to copy an existing profile over the top of the Default Profile in Windows 7 using this screen.


Figure 9.18 Viewing user profiles in Windows 7

Instead, the recommended method is to use the Windows System Image Manager tool (available in the Windows Automated Installation Kit), which was covered in Chapter 1, and the tool that was covered in Chapter 2, “Automating the Deployment of Windows 7.” The overall steps are as follows:

1. Log on with any account that you want to use as the default. The account will need administrative permissions, and you can use the Administrator account if desired.

2. Modify the desired settings to modify the profile of the account.

3. Create an unattend.xml file using Windows System Image Manager.

4. Add or modify the CopyProfile parameter so that it reads as follows: <CopyProfile>true</CopyProfile>. This will cause the currently logged-on user’s settings to be copied to the Default User profile when Sysprep is run.

5. Run Sysprep on the system with the following command:

sysprep.exe /generalize /unattend:unattend.xml

If the unattend.xml file is located in a different directory, you’ll need to include the full path.
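As an added example that is not from the book, this PowerShell script writes a minimal unattend.xml carrying the CopyProfile setting in the specialize pass, checks that the setting is really present before anything irreversible happens, and then runs Sysprep with it. It assumes an x64 reference machine, the /oobe switch (which the command line above omits) and the output path are choices made here, and the Test-CopyProfileSetting function is a helper written for this example.

```powershell
# Added example: generate unattend.xml with CopyProfile=true and run Sysprep.
# Assumes: run elevated on the reference Windows 7 x64 system; the path and
# the /oobe switch are this example's choices, not the book's.
param([string]$Unattend = 'C:\Windows\System32\Sysprep\unattend.xml')

$unattendXml = @"
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="specialize">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS"
               xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
      <CopyProfile>true</CopyProfile>
    </component>
  </settings>
</unattend>
"@

function Test-CopyProfileSetting {
    # Returns $true only if CopyProfile is 'true' inside the specialize pass of
    # Microsoft-Windows-Shell-Setup; CopyProfile in any other pass is ignored by Setup.
    param([string]$Path)
    [xml]$doc = Get-Content -Path $Path
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('u', 'urn:schemas-microsoft-com:unattend')
    $node = $doc.SelectSingleNode(
        "//u:settings[@pass='specialize']/u:component[@name='Microsoft-Windows-Shell-Setup']/u:CopyProfile",
        $ns)
    return ($node -ne $null -and $node.InnerText -eq 'true')
}

Set-Content -Path $Unattend -Value $unattendXml -Encoding UTF8
if (-not (Test-CopyProfileSetting -Path $Unattend)) {
    throw "CopyProfile is not set in $Unattend; refusing to run Sysprep"
}
# Full path is passed so Sysprep finds the answer file wherever it was written.
& "$env:WINDIR\System32\Sysprep\sysprep.exe" /generalize /oobe "/unattend:$Unattend"
```

Everything in the reference account’s profile folder is copied into Default User, so remove personal files and caches from that account before running the script.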


It’s important to realize that even though you are copying the profile settings of the Administrator account, you are not copying the rights and permissions. Rights and permissions are not stored in the profile, so copying the administrator’s profile to the Default User profile does not give all new users full administrative permissions.

If you need to customize the Default User profile, check out Microsoft’s Knowledge Base article 973289, which provides more in-depth details on these steps. You can find it here: http://support.microsoft.com/kb/973289.

Configuring Settings with Scripts

It’s also possible to configure many of the settings using scripts. Some basic scripting was covered in Chapter 3, “Using the Command Prompt and PowerShell.” You can configure the scripts to run for an individual user within a domain by modifying the properties of the user account. As an example, imagine that someone within your company created a PowerShell script that can configure system settings for a Windows 7 computer. You are now asked to ensure it always runs when a user logs on. You could create a share on a server, place the script within the share, and then configure the user account. Figure
